
Cloudy with a Chance of Anomalies: Dynamic Graph Neural Network for Early Detection of Cloud Services' User Anomalies

Revital Marbel, Yanir Cohen, Ran Dubin, Amit Dvir, Chen Hajaj

TL;DR

This paper tackles early detection of cloud-service user anomalies by modeling interactions as a dynamic tripartite graph consisting of users, actions, and cloud services. It proposes CS-GAD, which computes per-frame graph embeddings via Node2vec with weighted random walks and assigns anomaly scores to users using a nearest-neighbor distance in embedding space, with new users receiving a score of zero. The approach yields lower false positive rates (2–9% improvement over a baseline) while maintaining strong detection performance, supported by a newly constructed CloudTrail-based dataset spanning five attack types and open-source code. The work advances cloud security by enabling timely responses, introducing a tripartite graph representation that incorporates action types, and providing an accessible benchmark for future research and collaboration.

Abstract

Ensuring the security of cloud environments is imperative for sustaining organizational growth and operational efficiency. As the ubiquity of cloud services continues to rise, the inevitability of cyber threats underscores the importance of preemptive detection. This paper introduces a pioneering time-based embedding approach for Cloud Services Graph-based Anomaly Detection (CS-GAD), utilizing a Graph Neural Network (GNN) to discern anomalous user behavior during interactions with cloud services. Our method employs a dynamic tripartite graph representation to encapsulate the evolving interactions among cloud services, users, and their activities over time. Leveraging GNN models in each time frame, our approach generates a graph embedding wherein each user is assigned a score based on their historical activity, facilitating the identification of unusual behavior. Results demonstrate a notable reduction in false positive rates (2-9%) compared to prevailing methods, coupled with a commendable true positive rate (100%). The contributions of this work encompass early detection capabilities, a low false positive rate, an innovative tripartite graph representation incorporating action types, the introduction of a new cloud services dataset featuring various user attacks, and an open-source implementation for community collaboration in advancing cloud service security.
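The TL;DR and abstract above describe the CS-GAD pipeline (a per-frame tripartite graph with count-weighted edges, a per-frame embedding, and a per-user anomaly score that is zero for new users). The following is an added example, not the authors' code: it runs that pipeline over constructed CloudTrail-style records, substitutes a simple two-hop weight profile for the paper's Node2vec embedding, and scores a user by the distance to the nearest of that user's own earlier-frame embeddings, which is one reading of "based on their historical activity" and an assumption.

```python
from collections import Counter, defaultdict
import math

# Constructed CloudTrail-style records: (time frame, user, eventName, eventSource).
# In frame 2, "bob" shifts from EC2 reads to IAM changes and "carol" appears for the first time.
EVENTS = [
    (0, "alice", "GetObject", "s3"), (0, "alice", "GetObject", "s3"),
    (0, "alice", "ListBuckets", "s3"), (0, "bob", "DescribeInstances", "ec2"),
    (1, "alice", "GetObject", "s3"), (1, "alice", "ListBuckets", "s3"),
    (1, "bob", "DescribeInstances", "ec2"), (1, "bob", "RunInstances", "ec2"),
    (2, "alice", "GetObject", "s3"), (2, "alice", "ListBuckets", "s3"),
    (2, "bob", "CreateUser", "iam"), (2, "bob", "AttachUserPolicy", "iam"),
    (2, "bob", "CreateAccessKey", "iam"), (2, "carol", "GetObject", "s3"),
]

def build_frame_graphs(events):
    """One tripartite graph per frame: user->action and action->service edges, weighted by count."""
    frames = defaultdict(lambda: {"ua": Counter(), "as": Counter()})
    for frame, user, action, service in events:
        frames[frame]["ua"][(user, action)] += 1
        frames[frame]["as"][(action, service)] += 1
    return frames

def user_embeddings(graph):
    """Stand-in for Node2vec (assumption): a user's vector is its edge weight to each action
    plus the weight-proportional mass flowing on to services two hops away, L2-normalised."""
    act_srv = defaultdict(Counter)
    for (action, service), w in graph["as"].items():
        act_srv[action][service] += w
    vecs = defaultdict(Counter)
    for (user, action), w in graph["ua"].items():
        vecs[user]["action:" + action] += w
        total = sum(act_srv[action].values())
        for service, ws in act_srv[action].items():
            vecs[user]["service:" + service] += w * ws / total
    out = {}
    for user, v in vecs.items():
        norm = math.sqrt(sum(x * x for x in v.values()))
        out[user] = {k: x / norm for k, x in v.items()}
    return out

def euclid(v1, v2):
    return math.sqrt(sum((v1.get(k, 0.0) - v2.get(k, 0.0)) ** 2 for k in set(v1) | set(v2)))

def anomaly_scores(events):
    """Score each (frame, user) by the distance from the user's current embedding to its
    nearest embedding from earlier frames; a user with no history scores 0.0."""
    frames, history, scores = build_frame_graphs(events), defaultdict(list), {}
    for frame in sorted(frames):
        for user, vec in user_embeddings(frames[frame]).items():
            past = history[user]
            scores[(frame, user)] = min((euclid(vec, h) for h in past), default=0.0)
            past.append(vec)
    return scores
```

With this input, bob's frame-2 score is the maximum possible for unit vectors (about 1.41), alice's stable behaviour scores near zero, and the new user carol scores exactly zero.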

Paper Structure (17 sections, 5 equations, 4 figures, 4 tables)

Figures (4)

  • Figure 1: CS-GAD Main Flow
  • Figure 2: The proposed graph representation of the cloud services network. This is a tripartite graph where the green nodes represent the users, the yellow nodes represent the actions (Events), and the red nodes represent the cloud services. Edge weights are defined with respect to the number of times the users approach the actions and the services. For example, user $u_1$ conducts action $a_1$ with respect to service $s_1$. On the other hand, user $u_2$ conducts $w_2+w_3$ actions, such that $w_2$ of those are with respect to service $s_2$ while the other $w_3$ are aimed towards service $s_{n-1}$.
  • Figure 3: (a) Targeted Attack: CS-GAD result. The red line represents the threshold line. (b) Targeted Attack: baseline result. The red line represents the threshold line.
  • Figure 4: Our results for the lateral movement attack compared across different time-window sizes. Panel (a) shows the algorithm detecting two of the five users who performed the attack, while panel (b) shows it detecting only one of them.